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CLAIM AMENDMENTS 

This listing of claims will replace all prior versions and listings of claims in the 
application. 
Listing of Claims 

1. (Currently Amended) A method of tracking-back a single malicious data packet in a 
connection-oriented communication networ k including a network node comprising a plurality of 
router interfaces, t he method comprising the steps of: 

a) for a given time window of a predetermined tenp h iTimc Period) e xt e nd i ng ov e r a 
eottfig umbl e tim e-period, computing a flow identifier that uniquely identifies tffen&fHeg 
uniqu e ly identifying a given flow seen by a respective router interface at said ( -heemi w Link ) at 
a-network node; 

b) inserting said flow identifier Flowld into a data structure storing flow identifier s 
computed at said respective router interface during said time vvindow as^ekted-te-&ai4- : Fiffle 
Period and - said Incoming Link, availabl e at said network nod e; 

c) storing said data structure in a searchable repository at said network node; 

d) repeating steps a) to c) for a plurality of successive time windows, wherein each router 
interface stores a separate data stru c ture for each time windowtt ext-jfr»^^ 

rout er i nt e rfac e at s aid network node, for all pack e t s s ee n at respective rout e r int e rf a ces o v er 
s ucces s ive time wmdev rer-fofr-p*^^ 

each associat e d to a respective time period and a one of said respectiv e rout e r interfaces ; 
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e) determining an a rr ival time window including a fee-time of arrival -X-of said single 
malicious packet at said network node, and computing a flow identifier f hwhi-foi said single 
malicious packet; and 

f) identifying said router interface Incoming Link for said single malicious packet by 
searching for the flow identifier f hwM-ot said single malicious packet in all data structures 

stored at said network node that contain data for said arrival time window for said netw ai?k-R0de 



2. (Canceled) 

3. (Previously Presented) The method of claim 1, further comprising tracing-back hop by 
hop the source of said single packet from said router, by performing steps e) and f) for each 



4. (Currently Amended) The method of claim 1, wherein step a) is based on ajlow 
definition adopted for said network. 




network node along the path of said single malicious packet. 



5, (Original) The method of claim 1, wherein step a) comprises applying a specified 
function to one or more header fields of each packet received in said flow. 
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6. (Original) The method of claim 1, wherein step a) comprises applying a specified 
function to one or more header fields of each packet received in said flow and an incoming 
interface identification parameter. 

7. (Original) The method of claim 1, wherein step a) comprises applying a specified 
function to one or more characteristics of each packet. 

8. (Original) The method of claim 1, wherein step a) comprises applying a specified 
function to one or more characteristics of each packet received in said flow and an incoming 
interface identification parameter, 

9. (Original) The method of claim 1, wherein said data structure is a hash table based on a 
Bloom filter. 

10. (Original) The method of claim 1, wherein said searchable repository is maintained for 
each router interface at said network node. 

11. (Original) The method of claim 10, wherein said searchable repository stores all said 
data structures for all router interfaces at said network node. 



-4- 



Application No: 1 0/730,926 
Attorney's Docket No: ALC3106 

12. (Original) The method of claim 1, wherein said searchable database is a centralized 

searchable repository maintained for said network. 

13- (Currently Amended) A method of tracking-back a single malicious data packet in a 
connection-oriented communication networ k including a network node co mprising a plura lity o f 
router interfaces , the method comprising the steps of: 

a) for a given time window of a predet ermined \cm\h ffime- Porio({) e xtend Lna over a 
configurable time period , computing a flow identifier that uniquely identifies (Flowhi) for 
uf*k|ueiy-kle nt i fying -a given flow seen by a respective router interface at said (Jmomm&Linki f ki 
a-network node based on a flow characterization parameter obtained from a flow management 
system; 

b) inserting said flow identifier F iowld into a data structure storing flow identifiers 
co mputed at said respective router interface during said time window 7-^tTt^iftted-t^^i4^>^e 
Per i od and said Incoming Link, availabl e at said network nod e; 

c) storing said data structure in a database that is a centralized searchable repository; 

d) repeating steps a) to c) for a plurality of successive time windows, wherein each router 
interface stores a separate data structure for each time window nex-t-y^^^Wof7--and --fer-eaeh 
Incoming link at said - network nod e , for all pack e t s see n at respective router int e rfaces over 

e ach associated to a r e sp e cti v e time p e riod and a on e- of said resp e cti ve router interfaces ; and 
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e) finding, in said searchable repository^ the router interface h ieem ing Link for said single 

malicious packet bv searching for a corresponding flow identifier in all data structures containing 

data for an arrival t ime window , wher ein the arrival time window includes y time of arri val of 

said single malicious packet basod on a Flawhi and a time of arrival X of said s ing le malic ious 

packet. 

14. (Currently Amended) A system for tracking-back a single malicious data packet in a 
connection-oriented communication, comprising: 

means for computing a flow identifier that uniquely identifies / ^^/#^ef--bffiiwelv 
identifying a given flow seen by a router interface (Incoming Link) at a network node evef -dufing 
a given time window of a predetermined len gt h pwed- of4iffl^ extend rng-over-a 
configurable time period ; 

means for inserting said flow i dentifier fi tewfafinto a data structure storing flow identifiers 
computed at said router interface during said time window assoointod to said Timv Pcrw drmA 

a database that is a centralized searchable repository for storing said data structure; and 
a search engine for finding, in said searchable repository,, the router interfac e-faeww^g 
Link for said single malicious packet bv searching for a corresponding flow identifier in all data 
s tructur es containing data for an arrival time window, wherein the ar rival t ime window includes 
a time of arrival of said single malicious packet based on a Flowld and a t i me of arrival X of said 

IT ITT J I CTtTtXr? J /Own w I • 
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15. (Previously Presented) The system of claim 14 further comprising a flow-based 
monitoring system for tracking back hop-by-hop the sourcef of said single malicious packet. 

16. (Currently Amended) The system of claim 14, wherein efl^-saidji searchable repository 
is maintained for each interface at said network node. 

17. (Currently Amended) The system of claim 14, wherein one s aid a_searchable repository 
is maintained for said network node. 

18. (Currently Amended) The system of claim 14, wherein said searchable repository is a 
centralized database maintained maintained' for said network. 

19. (Original) The system of claim 14, further comprising a flow based monitoring system 
for providing a flow characterization parameter to said means for calculating. 

20. (Original) The system of claim 14 further comprising a flow management system for 
generating a flow characterization parameter. 



21. (Currently Amended) The system of claim 20, wherein said means for computing is a 
flow identifier fi&w/tf-calculator for computing said flow identifier from at least on e oXF Umki 
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fenrnt)^FH^F~fiiore^f--packet header fields, packet characterization parameters^ and interface 

identification information. 

22. (Currently Amended) The system of chim 20, wherein said means for computing is a 
flow identifier ff^vt^calculator for computing said flow identifier from f hwM-4<H=m- jacket 
header information. 



